Security

LDAP authentication troubleshooting information

melonman
Motivator

Hi,

I am trying to configure an Splunk's authentication by LDAP.

I have already registered LDAP server and mapped group and role in my Splunk 4.3.2.

It seems Splunk and LDAP server communicates. However, when I tried to login with a user registered in LDAP, the login failed.

I would like to troubleshoot this, but there is not much information about the log file to take a look at for the LDAP authentication troubleshooting regarding Splunk/LDAP Login.

Could anyone point me to the log file or information under SPLUNK_HOME?

Thanks,

Tags (1)
0 Karma
1 Solution

MuS
Legend

hi melonman,

as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:

ldapsearch  -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn"  "userNameAttribute=*"

cheers,

MuS

View solution in original post

kfleming
Explorer

This post will only help Windows/splunk/AD/LDAP people.

I am posting this with the hope it will save someone the pain I just went through.
first of all some of the examples work, some do not.
if the bind works splunkd will not have and error. If it does not, splunkd.log will have errors. bind username as to be domain username for domain that has LDAP/AD connection.
use ADEDIT to get LDAP info.

first thing that is NOT mentioned anywhere that I was able to find in splunk answers
the bind username has to be added to the builtin Windows Authorization Access Group
This has to be done to allow splunk to validate user login.
So even after I got the conf file correct and could see groups, etc. I could not get the login to work...talk about days of screaming frustration.

Second big discovery, is if one of your domain admins loves to organize, splunk (or LDAP) does not deal will with nested OUs. So if users are deep within nested OUs, you will have to do as I did. Give path (i.e. distinguisedName) for every "group/OU".
hope this helps someone even a little.

at the bottom is a working authentication.conf file...with what should be obvious removal of company, domain information.

Basic LDAP configuration

[domaincontroller]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkbind, CN=Users, DC=companynamesystems, DC=com
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
userBaseFilter = (objectclass=*)
groupBaseDN = CN=Users, DC=companynamesystems,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domaincontroller.companynamesystems.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users, DC=companynamesystems, DC=com
userNameAttribute = samaccountname

[authentication]
authSettings = domaincontroller,domainname
authType = LDAP

[domainname]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkbind
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
groupBaseDN = CN=splunk,DC=companyname,DC=com;
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domainnamedc02.companyname.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Sustained Engineering,OU=Corp,DC=companyname,DC=com;OU=Analytics,OU=Corp,DC=companyname,DC=com;OU=Customer Service,OU=Corp,DC=companyname,DC=com;OU=IT Staff,OU=Hyderabad,OU=Corp,DC=companyname,DC=com;OU=Management,OU=Corp,DC=companyname,DC=com;OU=Product Development,OU=Corp,DC=companyname,DC=com;OU=GlobalLogic,OU=Corp,DC=companyname,DC=com;OU=QA,OU=Corp,DC=companyname,DC=com;
userNameAttribute = samaccountname

[roleMap_domainname]
admin = SplunkAdmin
user = SplunkUsers

[roleMap_domaincontroller]

robgarner
Path Finder

I am so deeply grateful for this post - I think you just solved my problem.

0 Karma

MuS
Legend

hi melonman,

as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:

ldapsearch  -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn"  "userNameAttribute=*"

cheers,

MuS

melonman
Motivator

Thanks, MuS!

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...